Re: [Asrg] Empty mail transactions

[Gadi Evron <ge at linuxbox.org>]

Peter J. Holzer wrote:
> And now for something completely different :-)
>
>
> For at least several months I have been seeing a large number of empty
> mail transactions. Currently more than half of our connections consist
> only of an EHLO command. The client disconnects immediately after the
> response.
>
> Is anybody else noticing this? If so, do you have an idea what this is
> about? It looks like some kind of fingerprinting of course, but I'm
> curious why so many are interested in the version of our mail server and
> the extensions it supports. Maybe a worm trying to find a specific
> vulnerable SMTP server? 
>
> 	hp

Yes. We have seen this.

Actually, I found that when enough open connections are made (and 
obviously not closed), sendmail would eventually open enough processes 
to bring about an effective DoS, and die.

Our first encounter with this was with a bad application someone 
developed, the second was not so benign. No idea about what/who did it, 
but it did not persist like a worm usually would.

	Gadi.

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg